Latest news about information security threats and incidents

Preventing the security threats and incidents described below is wiser and cheaper than forensic investigation and mitigation of the consequences of a cyber attack. Use our services to find and fix your security vulnerabilities before threat actors find them.


Gemalto and R3 pilot blockchain technology to put users in control of their Digital ID

By creating and managing their own ‘Self-Sovereign’ Digital ID, users can enroll with a host of different digital banking, eCommerce and eGovernment services, without having to go through repeated due diligence processes for each of them. This distributed approach to Digital ID management enables....

Posted on 19 September 2018 4:03 am on www.helpnetsecurity.com


Cryptocurrency exchanges at risk of manipulation: report

Several cryptocurrency exchanges are plagued by poor market surveillance and pervasive conflicts of interest, and lack sufficient customer protections, the New York Attorney General's office said in a report. The study found that online platforms where virtual currencies such as bitcoin can be bought....

Posted on 19 September 2018 1:33 am on www.computerworld.co.nz


Hospital Insider PHI Theft Case: Lessons to Learn

A case involving alleged insider theft of protected health information from a hospital in New York illustrates why healthcare organizations need to take extra precautions to prevent similar incidents. Key insider theft....

Posted on 19 September 2018 1:26 am on www.govinfosecurity.com


Australia - Just 13 – no, er, make that 3,200 punters hit in Oz's Perth Mint hack

Unnamed third-party provider spaffed customer data. A computer security breach at Perth Mint first thought to have affected just 13 customers turned out to be more widespread, with more than 3,000 punters now screwed over by hackers.

Posted on 18 September 2018 11:48 pm on brica.de


Critical RCE Peekaboo Bug in NVR Surveillance System, PoC Available

A critical vulnerability in software from a global vendor of video surveillance equipment puts at risk the security of video feeds from over 100 camera brands and more than 2,500 camera models. Adversaries exploiting the security bug could take complete control of the affected equipment, allowing....

Posted on 18 September 2018 11:25 pm on www.bleepingcomputer.com


Symantec offers free website spoofing protection for US midterm elections

After Microsoft and Facebook, now Symantec, too,....

Posted on 18 September 2018 10:10 pm on www.itsecuritynews.info


Symantec offers free website spoofing protection for US midterm elections

Symantec, one of the largest US-based cyber-security firms, has launched today a free security service for candidates and political campaigns involved in the US 2018 midterm elections. The service is a website spoofing detection system that alerts candidates, political organizations, or election....

Posted on 18 September 2018 9:12 pm on www.zdnet.com


Cyberworld on Rewind Mode: New Phishing Attack Stealing Passwords Using Old Tricks

The phishing world is on rewind mode, as old tactics make periodic comebacks. Using an old trick, a new phishing campaign is attempting to steal sensitive information from users such as login credentials and payment details; the lure is a lucrative claim that a tax refund is available, which can only be claimed online.

Posted on 18 September 2018 8:52 pm on www.ehackingnews.com


Spam Filtering Cheat Sheet: 14 Ways to Reduce Spam

What Is Spam? Spam is usually defined as irrelevant or unsolicited messages sent over the Internet, typically to a large number of users, for the purposes of advertising, phishing, spreading malware and other annoyances. Spam — from unsolicited junk mail to dodgy emails with potentially malicious....

Posted on 18 September 2018 8:38 pm on resources.infosecinstitute.com


Sven Morgenroth Talks About PHP Type Juggling on Paul’s Security Weekly Podcast

Watch episode 572 of Paul’s Security Weekly, during which one of our security researchers, Sven Morgenroth, examines data types and PHP type juggling vulnerabilities. During the show, hosted by Paul Asadoorian, Sven explains: Sometimes when you have different data, you need to compare it.

Posted on 18 September 2018 8:24 pm on www.itsecuritynews.info


Judge upholds paperless voting in Georgia, but pressures for change

A federal judge on Monday denied a request by Georgia voters to have the state refrain from using its paperless voting machines for the midterm elections and use paper ballots statewide. Plaintiffs in the ongoing case had asked for a preliminary injunction on the use of direct-recording....

Posted on 18 September 2018 6:51 pm on www.cyberscoop.com


Dangerous Pegasus Spyware Has Spread to 45 Countries

The infamous Pegasus spyware, which targets iPhones and Android devices, has allegedly infiltrated 45 different countries across the globe — and six of those countries have used surveillance malware in the past to abuse human rights, a group of researchers claimed Tuesday.

Posted on 18 September 2018 5:44 pm on threatpost.com


Mattis condemns Russian influence-peddling in Macedonia

SKOPJE, Macedonia (AP) — Defense Secretary Jim Mattis on Monday condemned Russia's efforts to use its money and influence to build opposition to an upcoming vote that could pave the way for Macedonia to join NATO, a move Moscow opposes. Mattis told reporters traveling with him to Skopje that there....

Posted on 18 September 2018 5:21 pm on www.yahoo.com


New McAfee consumer portfolio delivers enhanced speed, effectiveness and security features


Posted on 18 September 2018 4:51 pm on www.itsecuritynews.info


Cybersecurity firm: More Iran hacks as US sanctions loomed

DUBAI, United Arab Emirates (AP) A cybersecurity firm is warning that Iranian government-aligned hackers have stepped up their efforts in the wake of President Donald Trump pulling America from the nuclear deal. Officials with FireEye said on Tuesday the hackers appear to belong to a group it refers....

Posted on 18 September 2018 3:29 pm on www.sfgate.com


US State Department suffered a data breach that exposed some staffers’ personal data

The US State Department’s cloud-hosted unclassified email system reportedly suffered a breach recently, exposing some staffers’ personal data. It is unclear whether the State Department has been able to determine the identity of the cybercriminals behind the attack.

Posted on 18 September 2018 3:13 pm on cyware.com


Seizing cyber resilience mastery in financial services

Despite the volume of cyberattacks doubling in 2017, financial services firms are closing the gap on cyberattacks, having stopped four in five of all breach attempts last year, up from two-thirds in 2016, according to Accenture. However, firms will need to improve their security procedures to heed....

Posted on 18 September 2018 3:04 pm on thecybersecurityplace.com


How to create a Hall of Fame caliber cybersecurity playbook

Whether the sport is football, basketball or hockey, all the best coaches have playbooks and reports with the latest information on opponents. They study the playing field and never go into a game unprepared, spending hours fine tuning strategies, whether that’s finding the perfect angle to swoop....

Posted on 18 September 2018 3:04 pm on thecybersecurityplace.com


Future UK Cyber Security Stars Tackle Vulnerable Cryptocurrency in Latest Challenges

On Friday, Her Majesty’s Government Communications Centre (HMGCC) and leading science and engineering company QinetiQ hosted the latest Cyber Security Challenge UK Face-to-Face competition at QinetiQ’s headquarters in Farnborough. The competition saw 28 code-breaking amateurs from across the country....

Posted on 18 September 2018 3:04 pm on thecybersecurityplace.com


ENISA launches Cybersecurity Strategies Evaluation Tool

The European Union Agency for Network and Information Security (ENISA) has launched a tool that will help EU Member States evaluate their priorities according to their National Cyber Security Strategies. ENISA supports EU Member States. Since 2012, ENISA has been supporting the EU Member States to....

Posted on 18 September 2018 2:55 pm on irishinfosecnews.wordpress.com


Bizarre botnet infects your PC to scrub away cryptocurrency mining malware (ZDNet)

Good guy vigilante, or error in coding? A strange botnet has appeared on the scene which instead of infecting devices in order to enslave them, appears to be actually wiping them clean of cryptocurrency mining malware. On Monday, researchers from Qihoo's 360Netlab said that Fbot, a botnet based on....

Posted on 18 September 2018 2:50 pm on www.zdnet.com


New Xbash Malware Attack on Linux & Windows with Botnet, Ransomware & Coinminer Capabilities


Posted on 18 September 2018 11:33 am on www.itsecuritynews.info


UK watchdog has not issued any GDPR data breach-related fines yet

More than three months into the GDPR era, the UK's data privacy watchdog, the Information Commissioner's Office, has not fined any company yet under the severe terms of the new EU legislation. These fines, when imposed, can go up to €20 million ($23....

Posted on 18 September 2018 11:25 am on brica.de


New Botnet Hides in Blockchain DNS Mist and Removes Cryptominer

A new botnet captured the attention of security researchers through its harmless behavior and the use of an original communication channel with its command and control server. Fbot is a peculiar variant of Mirai that....

Posted on 18 September 2018 11:25 am on brica.de


Air Force mulls cyber RCO - FCW.com

The Air Force is considering launching a cyber rapid capabilities office, Air Force Cyber Commander Gen. Robert Skinner said during the Air Force Association's Air, Space, Cyber conference on Sept. 17. The Air Force is "really pushing" for rapid cyber acquisition capabilities in line with the....

Posted on 18 September 2018 10:47 am on fcw.com


Five computer security questions you must be able to answer right now

Getting senior managers to take computer security seriously is a struggle within many organisations, despite the frequency of high-profile data breaches and hacking incidents. Now the UK government’s computer security agency, the National Cyber Security Centre (NCSC), has put together a list of five....

Posted on 18 September 2018 10:46 am on threatbrief.com


Political Figures Differ Online: Names of Trump, Obama, Merkel Attached to Ransomware Campaigns

Politics and ransomware. No, it’s not a lost single from the Oasis back catalogue, but in fact a relatively recent tactic by ransomware developers looking to exploit the profiles of major politicians to install ransomware on victims’ computers. Donald Trump, Angela Merkel, and now Barack Obama all serve as lures for the unsuspecting.

Posted on 18 September 2018 8:37 am on www.kashifali.ca


80 Percent of US Adults Have Never Considered Cybersecurity Careers, Survey Finds


Posted on 18 September 2018 8:01 am on www.itsecuritynews.info


GovPayNow.com Leaks 14M+ Records

Government Payment Service Inc. — a company used by thousands of U.S. state and local governments to accept online payments for everything from traffic citations and licensing fees to bail payments and court-ordered fines — has leaked more than 14 million customer records dating back at least six....

Posted on 18 September 2018 2:08 am on securityboulevard.com


Cybersecurity decisions that can’t be automated

Encourage those inside and outside your team to identify and challenge daily assumptions in order to adapt to change, think differently and make smarter, faster security-related decisions.

Posted on 18 September 2018 12:50 am on brica.de


Bristol Airport Flight Info Screens Taken Offline by Ransomware Attack

After two days of being blacked out, all flight information screens at Bristol Airport have finally been brought back online, following a ransomware attack that affected multiple computers on the airport's network. The attack began on Friday morning with a ransom note being displayed on all....

Posted on 17 September 2018 9:51 pm on news.softpedia.com


Cybersecurity and training needs boost cost of German warship

BERLIN: A need for more cybersecurity features and plans for a training facility have driven up the projected cost of Germany's new multi-purpose MKS 180 warship programme by 700 million euros to around 5.2 billion euros (4.64 billion pounds), the Defence Ministry said on Monday.

Posted on 17 September 2018 8:34 pm on www.channelnewsasia.com


Facebook bolsters bug bounty program with rewards for user token exposure

Facebook has extended its bug bounty scheme to offer financial rewards for reports of cases where Facebook user access tokens are exposed by third-party services. On Monday, Facebook Security Engineering Manager Dan Gurfinkel revealed the changes, which will give security researchers a minimum....

Posted on 17 September 2018 8:32 pm on www.zdnet.com


Apache Struts & SonicWall’s GMS exploits key targets of Mirai & Gafgyt IoT malware

Security researchers at Palo Alto Networks’ Unit 42 have discovered modified versions of the notorious Mirai and Gafgyt Internet of Things (IoT) malware. Both variants can target flaws affecting Apache Struts and SonicWall’s Global Management System (GMS).

Posted on 17 September 2018 8:16 pm on www.hackread.com


Wisconsin Officials Prepare for Potential Election Hackers (SecurityWeek)

A private vendor inadvertently introduces malware into voting machines he is servicing. A hacker hijacks the cellular modem used to transmit unofficial Election Day results. An email address is compromised, giving bad actors the same access to voting software as a local elections official.

Posted on 17 September 2018 6:36 pm on www.securityweek.com


Tata Communications partners with SASTRA university for cybersecurity lab - Economic Times

PUNE: Tata Communications has partnered with SASTRA deemed university, Tamil Nadu to fund and establish a cyber security lab at the university. The company aims to co-create an ecosystem by partnering with universities globally to address cyber-security challenges today, while building the skills and capabilities for tomorrow.

Posted on 17 September 2018 5:50 pm on economictimes.indiatimes.com


Greece U-Turns — Now Approves Mr. Bitcoin's Extradition To Russia

Mr. Bitcoin, a.k.a. Alexander Vinnik, is not going to France nor to the United States; instead, he is now possibly going to his homeland, Russia. The Supreme Civil and Criminal Court of Greece on Friday overruled previous....

Posted on 17 September 2018 5:47 pm on brica.de


What is Wireshark? What this essential troubleshooting tool does and how to use it

Wireshark is the world’s leading network traffic analyzer, and an essential tool for any security professional or systems administrator. This free software lets you analyze network traffic in real time, and is often the best tool for troubleshooting issues on your network.

Posted on 17 September 2018 5:01 pm on www.viruss.eu


Remove KCTF Locker Cryptovirus – Restore .DWG Files

This article will help you remove the KCTF Locker cryptovirus completely. Follow the ransomware removal instructions provided at the end of the article. KCTF Locker is a cryptovirus, or at least was designed as one. A note left with it states that it was made for a CTF cybersecurity competition.

Posted on 17 September 2018 4:26 pm on securityboulevard.com


Critical infrastructure will have to operate if there’s malware on it or not

As threats to critical infrastructure are expected to intensify in the near future, cyber-security experts believe that companies and government agencies should be prepared to operate their networks whether or not there is malware or a threat actor on them.

Posted on 17 September 2018 4:01 pm on www.cybersecurity-review.com


New Bill Aims to Address Cybersecurity Workforce Shortage

A bill introduced last week by U.S. Rep. Jacky Rosen (D-Nev.) aims to address the cybersecurity workforce shortage through a grant for apprenticeship programs. The new bill, called the Cyber Ready Workforce Act, is inspired by Nevada’s recently introduced cybersecurity apprenticeship program.

Posted on 17 September 2018 3:45 pm on www.securityweek.com


Most Important Web Server Penetration Testing Checklist

Web server penetration testing falls under three major activities: identifying, analysing and reporting vulnerabilities such as authentication weaknesses, configuration errors and protocol-related vulnerabilities. 1. Conducting a series of methodical and repeatable tests is the best way to test the web server along....

Posted on 17 September 2018 2:23 pm on www.prodefence.org


Watch Out! This New Web Exploit Can Crash and Restart Your iPhone

It's 2018, and just a few lines of code can crash and restart any iPhone or iPad and can cause a Mac computer to freeze. Sabri Haddouche, a security researcher at encrypted instant messaging app Wire, revealed a proof-of-concept (PoC) web page containing an exploit that uses only a few lines of specially crafted CSS & HTML code.

Posted on 17 September 2018 1:03 pm on thehackernews.com


Swiss investigate alleged Russian cyber attack on World Anti-Doping Agency

By John Revill. ZURICH (Reuters) - Swiss prosecutors are investigating whether Russian agents tried to hack the World Anti-Doping Agency, the Office of the Attorney General said on Saturday, broadening the scope of alleged espionage against institutions in Switzerland.

Posted on 17 September 2018 12:54 pm on finance.yahoo.com


New GandCrab ransomware variant hammers Florida school district

The computer systems in a Florida Keys school district were down for a week due to a ransomware attack.

Posted on 17 September 2018 11:21 am on www.csoonline.com


Businesses Worldwide Expected to Spend $9 Billion on Cyber Insurance by 2020

Cybercriminals have unwittingly created an impressive, and legal, money-making opportunity: cyber insurance. The cyber insurance market is about to become huge, as experts believe companies will double their spending by 2020 to some $8 billion to $9 billion, compared to last year’s average of 3....

Posted on 17 September 2018 10:50 am on businessinsights.bitdefender.com


(IN)SECURE Magazine issue 59 released

(IN)SECURE Magazine is a free digital security publication discussing some of the hottest information security topics. Issue 59 has been released today. Table of contents: The importance of career pathing in the cybersecurity industry; Securing healthcare organizations: The challenges CISOs face; Fingerprinting HTTP....

Posted on 17 September 2018 10:49 am on www.helpnetsecurity.com


How to gain visibility with global IT asset inventory

In this podcast recorded at Black Hat USA 2018 , Pablo Quiroga, Director of Product Management at Qualys , talks about how to gain unprecedented visibility with global IT asset inventory. Here’s a transcript of the podcast for your convenience. My name is Pablo Quiroga.

Posted on 17 September 2018 9:48 am on www.helpnetsecurity.com


Break out of malware myopia by focusing on the fundamentals

Organizations today suffer from malware myopia, a condition characterized by threat-centric security programs caused by the ease of imagining a takedown by malicious code. Malware myopia is a mental bug; a defect in reasoning that scrambles people’s judgment. If asked point-blank, few would say that malware is an existential threat.

Posted on 17 September 2018 9:23 am on irishinfosecnews.wordpress.com


Designed by Logiprint Estratégica Mexico SQL Injection Vulnerability

# Exploit Title : Designed by Logiprint Estratégica Mexico SQL Injection Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
# Date : 14/09/2018
# Vendor Homepage : logiprint....

Posted on 17 September 2018 12:23 am on cxsecurity.com


Healthcare's Many Cybersecurity Challenges — Security Awareness (CyberSpeak Podcast) - Security Boulevard

On this episode of the CyberSpeak with InfoSec Institute podcast, Lisa Hedges, content analyst at Software Advice, Gartner Digital Markets, talks about the many cybersecurity challenges facing the healthcare sector. In the podcast, Hedges and host Chris Sienko discuss: What can be done to prevent....

Posted on 16 September 2018 9:31 pm on securityboulevard.com


New Cold Boot Attacks Can Evade Current Mitigations

Many people tend to put laptops to ‘Sleep’ instead of shutting them down. Whether you’re at home or at your workplace, leaving desktops and laptops unattended might have become a habit. A cybersecurity firm discovered a way to access a laptop’s data even with full disk encryption.

Posted on 16 September 2018 8:34 pm on brica.de


China tells Taiwan to halt all mainland spying, sabotage activities

BEIJING (Reuters) - China on Sunday accused Taiwan’s spy agencies of stepping up efforts to steal intelligence with the aim of “infiltration” and “sabotage”, and warned the island against further damaging already strained cross-strait ties. The relevant agencies in Taiwan must end such activities....

Posted on 16 September 2018 4:49 pm on www.reuters.com


TA18-201A: Emotet Malware

Original release date: July 20, 2018

Systems Affected: Network Systems

Overview

Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Emotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors. This joint Technical Alert (TA) is the result of Multi-State Information Sharing & Analysis Center (MS-ISAC) analytic efforts, in coordination with the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC).

Description

Emotet continues to be among the most costly and destructive malware affecting SLTT governments. Its worm-like features result in rapidly spreading network-wide infections, which are difficult to combat. Emotet infections have cost SLTT governments up to $1 million per incident to remediate.

Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Additionally, Emotet is a polymorphic banking Trojan that can evade typical signature-based detection. It has several methods for maintaining persistence, including auto-start registry keys and services. It uses modular Dynamic Link Libraries (DLLs) to continuously evolve and update its capabilities. Furthermore, Emotet is Virtual Machine-aware and can generate false indicators if run in a virtual environment.

Emotet is disseminated through malspam (emails containing malicious attachments or links) that uses branding familiar to the recipient; it has even been spread using the MS-ISAC name. As of July 2018, the most recent campaigns imitate PayPal receipts, shipping notifications, or “past-due” invoices purportedly from MS-ISAC. Initial infection occurs when a user opens or clicks the malicious download link, PDF, or macro-enabled Microsoft Word document included in the malspam.

Figure 1: Malicious email distributing Emotet

Once downloaded, Emotet establishes persistence and attempts to propagate through the local network using its incorporated spreader modules. Currently, Emotet uses five known spreader modules: NetPass.exe, WebBrowserPassView, Mail PassView, Outlook scraper, and a credential enumerator.

NetPass.exe is a legitimate utility developed by NirSoft that recovers all network passwords stored on a system for the current logged-on user. This tool can also recover passwords stored in the credentials file of external drives.

Outlook scraper is a tool that scrapes names and email addresses from the victim’s Outlook accounts and uses that information to send out additional phishing emails from the compromised accounts.

WebBrowserPassView is a password recovery tool that captures passwords stored by Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera and passes them to the credential enumerator module.

Mail PassView is a password recovery tool that reveals passwords and account details for various email clients such as Microsoft Outlook, Windows Mail, Mozilla Thunderbird, Hotmail, Yahoo! Mail, and Gmail and passes them to the credential enumerator module.

Credential enumerator is a self-extracting RAR file containing two components: a bypass component and a service component. The bypass component is used for the enumeration of network resources and either finds writable share drives using Server Message Block (SMB) or tries to brute force user accounts, including the administrator account. Once an available system is found, Emotet writes the service component on the system, which writes Emotet onto the disk. Emotet’s access to SMB can result in the infection of entire domains (servers and clients).

Figure 2: Emotet infection process

To maintain persistence, Emotet injects code into explorer.exe and other running processes. It can also collect sensitive information, including system name, location, and operating system version, and connects to a remote command and control server (C2), usually through a generated 16-letter domain name that ends in “.eu.” Once Emotet establishes a connection with the C2, it reports a new infection, receives configuration data, downloads and runs files, receives instructions, and uploads data to the C2 server.

Emotet artifacts are typically found in arbitrary paths located off of the AppData\Local and AppData\Roaming directories. The artifacts usually mimic the names of known executables. Persistence is typically maintained through Scheduled Tasks or via registry keys. Additionally, Emotet creates randomly-named files in the system root directories that are run as Windows services. When executed, these services attempt to propagate the malware to adjacent systems via accessible administrative shares. Note: it is essential that privileged accounts are not used to log in to compromised systems during remediation, as this may accelerate the spread of the malware...

Posted on 21 July 2018 12:24 am on www.us-cert.gov
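
Two of the Emotet indicators in the alert above are mechanical enough to check automatically: the generated 16-letter “.eu” C2 domain names, and copies of well-known executable names sitting under AppData\Local or AppData\Roaming. The script below is an added example, not part of the US-CERT alert and not MS-ISAC tooling. It assumes a DNS query log of the form "<timestamp> <client-ip> <query-name>" and a list of full Windows file paths from a host inventory; both samples are constructed for the demo, and the set of "known executable names" is an illustrative assumption, since the alert does not list which names Emotet mimics.

```python
# Added example (not from the US-CERT alert): two checks built from the
# Emotet indicators described in TA18-201A. Log format, sample data and the
# KNOWN_EXE_NAMES set are assumptions for illustration.
import re
from typing import Dict, Iterable, List

# Indicator 1: C2 is "usually through a generated 16-letter domain name that
# ends in '.eu'". Generated labels are lower-case letters only, so the
# pattern is kept tight to limit false positives on ordinary .eu sites.
C2_DOMAIN_RE = re.compile(r"^[a-z]{16}\.eu\.?$")


def suspicious_c2_domains(dns_log_lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map each 16-letter .eu query name to the client IPs that looked it up.

    Assumed line format (constructed): "<timestamp> <client-ip> <query-name>".
    Malformed lines are skipped rather than raising, so one bad line cannot
    abort a scan over a large log.
    """
    hits: Dict[str, List[str]] = {}
    for line in dns_log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        client_ip, qname = parts[1], parts[2].lower()
        if C2_DOMAIN_RE.match(qname):
            hits.setdefault(qname.rstrip("."), []).append(client_ip)
    return hits


# Indicator 2: artifacts sit "in arbitrary paths located off of the
# AppData\Local and AppData\Roaming directories" and "mimic the names of
# known executables". The name set is an assumed, illustrative sample of
# Windows binaries that never legitimately live under a user's AppData.
KNOWN_EXE_NAMES = frozenset({
    "svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe",
    "winlogon.exe", "services.exe",
})
APPDATA_RE = re.compile(r"\\AppData\\(Local|Roaming)\\", re.IGNORECASE)


def suspicious_appdata_binaries(paths: Iterable[str],
                                known_names=KNOWN_EXE_NAMES) -> List[str]:
    """Return paths under AppData\\Local or AppData\\Roaming whose file name
    copies a known system binary. Case-insensitive, as NTFS paths are."""
    flagged = []
    for path in paths:
        name = path.rsplit("\\", 1)[-1].lower()
        if name in known_names and APPDATA_RE.search(path):
            flagged.append(path)
    return flagged


# Constructed sample data (not real telemetry).
SAMPLE_DNS_LOG = [
    "2018-07-20T10:01:02 10.0.0.15 www.example.com",
    "2018-07-20T10:01:07 10.0.0.15 qwertyuiopasdfgh.eu",    # 16 letters + .eu
    "2018-07-20T10:02:11 10.0.0.22 mail.example.org",
    "2018-07-20T10:02:19 10.0.0.22 qwertyuiopasdfgh.eu",    # same C2, second host
    "2018-07-20T10:03:40 10.0.0.31 abcdefgh.eu",            # only 8 letters: ignored
    "2018-07-20T10:04:05 10.0.0.31 abcdefghijklmnop.eu.",   # trailing dot, still matches
    "truncated line",                                       # malformed: skipped
]
SAMPLE_PATHS = [
    r"C:\Windows\System32\svchost.exe",                          # legitimate location
    r"C:\Users\alice\AppData\Local\Temp\svchost.exe",            # copycat under AppData
    r"C:\Users\alice\AppData\Roaming\Microsoft\lsass.exe",
    r"C:\Users\alice\AppData\Local\Programs\editor\editor.exe",  # not a known name
    r"C:\Users\bob\appdata\local\x\EXPLORER.EXE",                # different case, still flagged
]

if __name__ == "__main__":
    for domain, clients in suspicious_c2_domains(SAMPLE_DNS_LOG).items():
        print(f"possible Emotet C2 {domain} queried by {sorted(set(clients))}")
    for path in suspicious_appdata_binaries(SAMPLE_PATHS):
        print(f"possible Emotet artifact: {path}")
```

Both checks are deliberately narrow: a 16-letter .eu domain queried by several hosts in the same hour, or lsass.exe under a user's roaming profile, is worth a ticket on its own, and the alert's remediation note still applies: investigate the flagged hosts with a non-privileged account so the SMB spreader cannot ride your credentials to the next machine.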


TA18-149A: HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm

Original release date: May 29, 2018 | Last revised: May 31, 2018 Systems Affected Network systems Overview This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Working with U.S. government partners, DHS and FBI identified Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with two families of malware used by the North Korean government: a remote access tool (RAT), commonly known as Joanap; and a Server Message Block (SMB) worm, commonly known as Brambul. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra . FBI has high confidence that HIDDEN COBRA actors are using the IP addresses—listed in this report’s IOC files—to maintain a presence on victims’ networks and enable network exploitation. DHS and FBI are distributing these IP addresses and other IOCs to enable network defense and reduce exposure to any North Korean government malicious cyber activity. This alert also includes suggested response actions to the IOCs provided, recommended mitigation techniques, and information on how to report incidents. If users or administrators detect activity associated with these malware families, they should immediately flag it, report it to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give it the highest priority for enhanced mitigation. See the following links for a downloadable copy of IOCs: IOCs (.csv) IOCs (.stix) NCCIC conducted analysis on four malware samples and produced a Malware Analysis Report (MAR). MAR-10135536.3 – RAT/Worm examines the tactics, techniques, and procedures observed in the malware. Visit MAR-10135536.3 – HIDDEN COBRA RAT/Worm for the report and associated IOCs. 
Description According to reporting of trusted third parties, HIDDEN COBRA actors have likely been using both Joanap and Brambul malware since at least 2009 to target multiple victims globally and in the United States—including the media, aerospace, financial, and critical infrastructure sectors. Users and administrators should review the information related to Joanap and Brambul from the Operation Blockbuster Destructive Malware Report [1] in conjunction with the IP addresses listed in the .csv and .stix files provided within this alert. Like many of the families of malware used by HIDDEN COBRA actors, Joanap, Brambul, and other previously reported custom malware tools, may be found on compromised network nodes. Each malware tool has different purposes and functionalities. Joanap malware is a fully functional RAT that is able to receive multiple commands, which can be issued by HIDDEN COBRA actors remotely from a command and control server. Joanap typically infects a system as a file dropped by other HIDDEN COBRA malware, which users unknowingly downloaded either when they visit sites compromised by HIDDEN COBRA actors, or when they open malicious email attachments. During analysis of the infrastructure used by Joanap malware, the U.S. Government identified 87 compromised network nodes. The countries in which the infected IP addresses are registered are as follows: Argentina Belgium Brazil Cambodia China Colombia Egypt India Iran Jordan Pakistan Saudi Arabia Spain Sri Lanka Sweden Taiwan Tunisia Malware often infects servers and systems without the knowledge of system users and owners. If the malware can establish persistence, it could move laterally through a victim’s network and any connected networks to infect nodes beyond those identified in this alert. Brambul malware is a brute-force authentication worm that spreads through SMB shares. SMBs enable shared access to files between users on a network. 
Brambul malware typically spreads by using a list of hard-coded login credentials to launch a brute-force password attack against the SMB protocol to gain access to a victim’s networks.
Technical Details
Joanap
Joanap is a two-stage malware used to establish peer-to-peer communications and to manage botnets designed to enable other operations. Joanap malware provides HIDDEN COBRA actors with the ability to exfiltrate data, drop and run secondary payloads, and initialize proxy communications on a compromised Windows device. Other notable functions include file management, process management, creation and deletion of directories, and node management.
Analysis indicates the malware encodes data using Rivest Cipher 4 encryption to protect its communication with HIDDEN COBRA actors...

Posted on 29 May 2018 3:18 pm on www.us-cert.gov


TA18-145A: Cyber Actors Target Home and Office Routers and Networked Devices Worldwide

Original release date: May 25, 2018 | Last revised: June 07, 2018
Systems Affected
- Small office/home office (SOHO) routers
- Networked devices
- Network-attached storage (NAS) devices
Overview
Cybersecurity researchers have identified that foreign cyber actors have compromised hundreds of thousands of home and office routers and other networked devices worldwide [1] [2] [3]. The actors used VPNFilter malware to target small office/home office (SOHO) routers. VPNFilter malware uses modular functionality to collect intelligence, exploit local area network (LAN) devices, and block actor-configurable network traffic. Specific characteristics of VPNFilter have only been observed in the BlackEnergy malware, specifically BlackEnergy versions 2 and 3.
The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) recommend that owners of SOHO routers power cycle (reboot) SOHO routers and networked devices to temporarily disrupt the malware.
DHS and FBI encourage SOHO router owners to report information concerning suspicious or criminal activity to their local FBI field office or the FBI’s 24/7 Cyber Watch (CyWatch). Field office contacts can be identified at www.fbi.gov/contact-us/field. CyWatch can be contacted by phone at 855-292-3937 or by email at CyWatch@fbi.gov. Each submitted report should include as much information as possible, specifically the date, time, location, type of activity, number of people, the type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact.
Description
The size and scope of the infrastructure impacted by VPNFilter malware is significant. The persistent VPNFilter malware linked to this infrastructure targets a variety of SOHO routers and network-attached storage devices. The initial exploit vector for this malware is currently unknown.
The malware uses a modular functionality on SOHO routers to collect intelligence, exploit LAN devices, and block actor-configurable network traffic. The malware can render a device inoperable, and has destructive functionality across routers, network-attached storage devices, and central processing unit (CPU) architectures running embedded Linux. The command and control mechanism implemented by the malware uses a combination of secure sockets layer (SSL) with client-side certificates for authentication and TOR protocols, complicating network traffic detection and analysis.
Impact
Negative consequences of VPNFilter malware infection include: temporary or permanent loss of sensitive or proprietary information, disruption to regular operations, financial losses incurred to restore systems and files, and potential harm to an organization’s reputation.
Solution
DHS and FBI recommend that all SOHO router owners power cycle (reboot) their devices to temporarily disrupt the malware. Network device management interfaces—such as Telnet, SSH, Winbox, and HTTP—should be turned off for wide-area network (WAN) interfaces, and, when enabled, secured with strong passwords and encryption. Network devices should be upgraded to the latest available versions of firmware, which often contain patches for vulnerabilities.
Rebooting affected devices will cause non-persistent portions of the malware to be removed from the system. Network defenders should ensure that first-stage malware is removed from the devices, and appropriate network-level blocking is in place prior to rebooting affected devices. This will ensure that second stage malware is not downloaded again after reboot. While the paths at each stage of the malware can vary across device platforms, processes running with the name "vpnfilter" are almost certainly instances of the second stage malware.
Terminating these processes and removing associated processes and persistent files that execute the second stage malware would likely remove this malware from targeted devices.
References
[1] New VPNFilter malware targets at least 500K networking devices worldwide
[2] Justice Department Announces Actions to Disrupt Advanced Persistent Threat 28 Botnet of Infected Routers and Network Storage
[3] VPNFilter Update - VPNFilter exploits endpoints, targets new devices
Revision History
May 25, 2018: Initial Version
June 7, 2018: Added link to June 6, 2018 Cisco Talos blog update on VPNFilter
This product is provided subject to this Notification and this Privacy & Use policy.

Posted on 25 May 2018 9:22 pm on www.us-cert.gov


TA18-141A: Side-Channel Vulnerability Variants 3a and 4

Original release date: May 21, 2018 | Last revised: May 22, 2018
Systems Affected
CPU hardware implementations
Overview
On May 21, 2018, new variants of the side-channel central processing unit (CPU) hardware vulnerabilities known as Spectre and Meltdown were publicly disclosed. These variants—known as 3A and 4—can allow an attacker to obtain access to sensitive information on affected systems.
Description
Common CPU hardware implementations are vulnerable to the side-channel attacks known as Spectre and Meltdown. Meltdown is a bug that "melts" the security boundaries normally enforced by the hardware, affecting desktops, laptops, and cloud computers. Spectre is a flaw that an attacker can exploit to force a CPU to reveal its data.
Variant 3a is a vulnerability that may allow an attacker with local access to speculatively read system parameters via side-channel analysis and obtain sensitive information.
Variant 4 is a vulnerability that exploits “speculative bypass.” When exploited, Variant 4 could allow an attacker to read older memory values in a CPU’s stack or other memory locations. While implementation is complex, this side-channel vulnerability could allow less privileged code to:
- Read arbitrary privileged data; and
- Run older commands speculatively, resulting in cache allocations that could be used to exfiltrate data by standard side-channel methods.
Corresponding CVEs for Side-Channel Variants 1, 2, 3, 3a, and 4 are found below:
- Variant 1: Bounds Check Bypass – CVE-2017-5753
- Variant 2: Branch Target Injection – CVE-2017-5715
- Variant 3: Rogue Data Cache Load – CVE-2017-5754
- Variant 3a: Rogue System Register Read – CVE-2018-3640
- Variant 4: Speculative Store Bypass – CVE-2018-3639
Impact
Side-Channel Vulnerability Variants 3a and 4 may allow an attacker to obtain access to sensitive information on affected systems.
Solution
Mitigation
NCCIC recommends users and administrators:
- Refer to their hardware and software vendors for patches or microcode,
- Use a test environment to verify each patch before implementing, and
- Ensure that performance is monitored for critical applications and services.
Consult with vendors and service providers to mitigate any degradation effects, if possible. Consult with Cloud Service Providers to mitigate and resolve any impacts resulting from host operating system patching and mandatory rebooting, if applicable.
The following table contains links to advisories and patches published in response to the vulnerabilities. This table will be updated as information becomes available.
Link to Vendor Information    Date Added
AMD                           May 21, 2018
ARM                           May 21, 2018
Intel                         May 22, 2018
Microsoft                     May 21, 2018
Redhat                        May 21, 2018
References
Google Project Zero Blog
Bounds Check Bypass – CVE-2017-5753
Branch Target Injection – CVE-2017-5715
Rogue Data Cache Load – CVE-2017-5754
Rogue System Register Read – CVE-2018-3640
Speculative Store Bypass – CVE-2018-3639
TA18-004A – Meltdown and Spectre Side-Channel Vulnerability Guidance
Revision History
May 21, 2018: Initial version
May 22, 2018: Added information and link to Intel in table

Posted on 21 May 2018 11:54 pm on www.us-cert.gov


TA18-106A: Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices

Original release date: April 16, 2018 | Last revised: April 20, 2018
Systems Affected
- Generic Routing Encapsulation (GRE) Enabled Devices
- Cisco Smart Install (SMI) Enabled Devices
- Simple Network Management Protocol (SNMP) Enabled Network Devices
Overview
Update: On April 19, 2018, an industry partner notified NCCIC and the FBI of malicious cyber activity that aligns with the techniques, tactics, and procedures (TTPs) and network indicators listed in this Alert. Specifically, the industry partner reported the actors redirected DNS queries to their own infrastructure by creating GRE tunnels and obtained sensitive information, including the configuration files of networked devices. NCCIC encourages organizations to use the detection and prevention guidelines outlined in this Alert to help defend against this activity. For instance, administrators should inspect for the presence of protocol 47 traffic flowing to or from unexpected addresses, or the unexplained presence of GRE tunnel creation, modification, or destruction in log files.
Original Post: This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the United Kingdom’s National Cyber Security Centre (NCSC). This TA provides information on the worldwide cyber exploitation of network infrastructure devices (e.g., router, switch, firewall, Network-based Intrusion Detection System (NIDS) devices) by Russian state-sponsored cyber actors. Targets are primarily government and private-sector organizations, critical infrastructure providers, and the Internet service providers (ISPs) supporting these sectors. This report contains technical details on the tactics, techniques, and procedures (TTPs) used by Russian state-sponsored cyber actors to compromise victims. Victims were identified through a coordinated series of actions between U.S. and international partners.
This report builds on previous DHS reporting and advisories from the United Kingdom, Australia, and the European Union. [1-5] This report contains indicators of compromise (IOCs) and contextual information regarding observed behaviors on the networks of compromised victims. FBI has high confidence that Russian state-sponsored cyber actors are using compromised routers to conduct man-in-the-middle attacks to support espionage, extract intellectual property, maintain persistent access to victim networks, and potentially lay a foundation for future offensive operations.
DHS, FBI, and NCSC urge readers to act on past alerts and advisories issued by the U.S. and U.K. Governments, allied governments, network device manufacturers, and private-sector security organizations. Elements from these alerts and advisories have been selected and disseminated in a wide variety of security news outlets and social media platforms. The current state of U.S. network devices—coupled with a Russian government campaign to exploit these devices—threatens the safety, security, and economic well-being of the United States.
The purpose of this TA is to inform network device vendors, ISPs, public-sector organizations, private-sector corporations, and small office home office (SOHO) customers about the Russian government campaign, provide information to identify malicious activity, and reduce exposure to this activity. For a downloadable copy of the IOC package, see TA18-106A_TLP_WHITE.stix.xml.
Description
Since 2015, the U.S. Government received information from multiple sources—including private and public sector cybersecurity research organizations and allies—that cyber actors are exploiting large numbers of enterprise-class and SOHO/residential routers and switches worldwide. The U.S. Government assesses that cyber actors supported by the Russian government carried out this worldwide campaign.
These operations enable espionage and intellectual property theft that supports the Russian Federation’s national security and economic goals.
Legacy Protocols and Poor Security Practice
Russian cyber actors leverage a number of legacy or weak protocols and service ports associated with network administration activities. Cyber actors use these weaknesses to identify vulnerable devices; extract device configurations; map internal network architectures; harvest login credentials; masquerade as privileged users; modify device firmware, operating systems, and configurations; and copy or redirect victim traffic through Russian cyber-actor-controlled infrastructure. Additionally, Russian cyber actors could potentially modify or deny traffic traversing through the router.
Russian cyber actors do not need to leverage zero-day vulnerabilities or install malware to exploit these devices. Instead, cyber actors take advantage of the following vulnerabilities:
- devices with legacy unencrypted protocols or unauthenticated services,
- devices insufficiently hardened before installation, and
- devices no longer supported with security patches by manufacturers or vendors (end-of-life devices)...
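A defender-side check for the two GRE indicators the April 19 update above tells administrators to look for (protocol 47 flows to or from unexpected addresses, and tunnel creation, modification or destruction in device logs). This is an added example, not part of the alert: the flow-record shape, the syslog-like configuration-change lines, the peer allowlist and all sample data are constructed.

```python
"""Hunt for the GRE indicators from TA18-106A: protocol-47 flows involving
unexpected addresses, and tunnel creation/modification/destruction in logs.

Added example, not part of the alert.  The flow-record shape, the syslog-like
configuration-change lines, the peer allowlist and all sample data below are
constructed for illustration; adapt the parsers to your exporter and devices.
"""
import ipaddress
import re

GRE_PROTO = 47  # IP protocol number carried in flow records for GRE

# Constructed allowlist of networks that legitimately terminate GRE tunnels
# (e.g. the organisation's own sites).  Any other protocol-47 peer is suspect.
KNOWN_GRE_PEERS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.0/24")]

# Constructed flow summaries: "src,dst,proto,bytes", one flow per line.
SAMPLE_FLOWS = """\
10.1.1.1,203.0.113.7,47,48210
10.1.1.1,198.51.100.20,47,91044
10.1.1.5,192.0.2.9,6,1200
10.1.1.1,10.2.2.2,47,500
"""

# Constructed configuration-change log lines.  The command text after the user
# field follows common router CLI syntax; the surrounding format is made up.
SAMPLE_LOGS = """\
Apr 19 02:11:03 edge-rtr1 cfg: user admin: interface Tunnel9
Apr 19 02:11:05 edge-rtr1 cfg: user admin: tunnel destination 198.51.100.20
Apr 19 02:11:07 edge-rtr1 cfg: user admin: tunnel mode gre ip
Apr 19 02:12:30 edge-rtr1 cfg: user netops: ip route 10.9.0.0 255.255.0.0 10.1.1.254
Apr 19 03:40:11 edge-rtr1 cfg: user admin: no interface Tunnel9
"""

# "no" in front of a tunnel command means removal; otherwise the command
# either creates the tunnel interface or changes one of its parameters.
TUNNEL_EVENT = re.compile(
    r"(?P<negate>no )?(?P<cmd>interface Tunnel\d+|tunnel destination \S+|tunnel mode \S+)"
)
USER_FIELD = re.compile(r"user (\S+):")


def is_known_peer(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in KNOWN_GRE_PEERS)


def unexpected_gre_flows(flow_text):
    """Return (src, dst, bytes) for protocol-47 flows where either end is unknown."""
    hits = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, nbytes = line.split(",")
        if int(proto) != GRE_PROTO:
            continue
        if not (is_known_peer(src) and is_known_peer(dst)):
            hits.append((src, dst, int(nbytes)))
    return hits


def tunnel_config_events(log_text):
    """Return (timestamp, user, action, command) for every tunnel change in the log."""
    events = []
    for line in log_text.splitlines():
        m = TUNNEL_EVENT.search(line)
        if not m:
            continue
        cmd = m.group("cmd")
        if m.group("negate"):
            action = "destroy"
        elif cmd.startswith("interface"):
            action = "create"
        else:
            action = "modify"
        user = USER_FIELD.search(line).group(1)
        events.append((line[:15], user, action, cmd))
    return events


def corroborated_peers(flow_text, log_text):
    """Addresses that were both configured as a tunnel destination in the logs
    and seen as an endpoint of an unexpected GRE flow: the strongest signal."""
    flow_endpoints = set()
    for src, dst, _ in unexpected_gre_flows(flow_text):
        flow_endpoints.update((src, dst))
    configured = {
        cmd.split()[-1]
        for _, _, _, cmd in tunnel_config_events(log_text)
        if cmd.startswith("tunnel destination")
    }
    return sorted(flow_endpoints & configured)


if __name__ == "__main__":
    for hit in unexpected_gre_flows(SAMPLE_FLOWS):
        print("unexpected GRE flow:", hit)
    for ev in tunnel_config_events(SAMPLE_LOGS):
        print("tunnel change:", ev)
    print("corroborated:", corroborated_peers(SAMPLE_FLOWS, SAMPLE_LOGS))
```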

Posted on 16 April 2018 8:25 pm on www.us-cert.gov


TA18-086A: Brute Force Attacks Conducted by Cyber Actors

Original release date: March 27, 2018 | Last revised: March 28, 2018
Systems Affected
Networked systems
Overview
According to information derived from FBI investigations, malicious cyber actors are increasingly using a style of brute force attack known as password spraying against organizations in the United States and abroad. In February 2018, the Department of Justice in the Southern District of New York indicted nine Iranian nationals, who were associated with the Mabna Institute, for computer intrusion offenses related to activity described in this report. The techniques and activity described herein, while characteristic of Mabna actors, are not limited solely to use by this group. The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) are releasing this Alert to provide further information on this activity.
Description
In a traditional brute-force attack, a malicious actor attempts to gain unauthorized access to a single account by guessing the password. This can quickly result in a targeted account getting locked out, as commonly used account-lockout policies allow three to five bad attempts during a set period of time. During a password-spray attack (also known as the “low-and-slow” method), the malicious actor attempts a single password against many accounts before moving on to attempt a second password, and so on. This technique allows the actor to remain undetected by avoiding rapid or frequent account lockouts.
Password spray campaigns typically target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols. An actor may target this specific protocol because federated authentication can help mask malicious traffic. Additionally, by targeting SSO applications, malicious actors hope to maximize access to intellectual property during a successful compromise. Email applications are also targeted.
In those instances, malicious actors would have the ability to utilize inbox synchronization to (1) obtain unauthorized access to the organization's email directly from the cloud, (2) subsequently download user mail to locally stored email files, (3) identify the entire company’s email address list, and/or (4) surreptitiously implement inbox rules for the forwarding of sent and received messages.
Technical Details
Traditional tactics, techniques, and procedures (TTPs) for conducting the password-spray attacks are as follows:
- Using social engineering tactics to perform online research (i.e., Google search, LinkedIn, etc.) to identify target organizations and specific user accounts for initial password spray
- Using easy-to-guess passwords (e.g., “Winter2018”, “Password123!”) and publicly available tools, execute a password spray attack against targeted accounts by utilizing the identified SSO or web-based application and federated authentication method
- Leveraging the initial group of compromised accounts, downloading the Global Address List (GAL) from a target’s email client, and performing a larger password spray against legitimate accounts
- Using the compromised access, attempting to expand laterally (e.g., via Remote Desktop Protocol) within the network, and performing mass data exfiltration using File Transfer Protocol tools such as FileZilla
Indicators of a password spray attack include:
- A massive spike in attempted logons against the enterprise SSO portal or web-based application. Using automated tools, malicious actors attempt thousands of logons, in rapid succession, against multiple user accounts at a victim enterprise, originating from a single IP address and computer (e.g., a common User Agent String). Attacks have been seen to run for over two hours.
- Employee logons from IP addresses resolving to locations inconsistent with their normal locations.
Typical Victim Environment
The vast majority of known password spray victims share some of the following characteristics [1] [2]:
- Use SSO or web-based applications with federated authentication method
- Lack multifactor authentication (MFA)
- Allow easy-to-guess passwords (e.g., “Winter2018”, “Password123!”)
- Use inbox synchronization, allowing email to be pulled from cloud environments to remote devices
- Allow email forwarding to be set up at the user level
- Limited logging setup, creating difficulty during post-event investigations
Impact
A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:
- Temporary or permanent loss of sensitive or proprietary information;
- Disruption to regular operations;
- Financial losses incurred to restore systems and files; and
- Potential harm to an organization’s reputation...
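Detection logic that applies the distinction drawn in the Description above (one password across many accounts, kept under the lockout threshold, versus many attempts against one account) to SSO logon records, and that then surfaces any success from a spraying source. This is an added example, not part of the alert; the log format, thresholds and sample lines are constructed. The same windowed counting also flags the per-account SMB brute force of the Brambul worm described in the TA18-149A item above as the "brute_force" case.

```python
"""Separate password spraying from traditional brute force in SSO logon logs,
using the distinction TA18-086A draws: spraying tries one password across many
accounts and stays under the lockout threshold; brute force hammers one account.

Added example, not part of the alert.  The log format, the thresholds and the
sample lines are constructed; map your IdP's fields onto them.  The same
windowed counting flags the Brambul worm's SMB brute force (TA18-149A: many
attempts per account from one source) as "brute_force".
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOCKOUT_ATTEMPTS = 5         # policies typically lock after 3 to 5 bad attempts
SPRAY_MIN_ACCOUNTS = 5       # distinct accounts one source must fail against
WINDOW = timedelta(hours=1)  # campaigns were seen running for over two hours

# Constructed sample: "timestamp,src_ip,user_agent,account,result".
SAMPLE_LOG = """\
2018-03-01T08:55:10,10.0.0.5,Mozilla/5.0 (Windows NT 10.0),alice,SUCCESS
2018-03-01T09:00:01,198.51.100.44,python-requests/2.18.4,alice,FAIL
2018-03-01T09:00:02,198.51.100.44,python-requests/2.18.4,bob,FAIL
2018-03-01T09:00:03,198.51.100.44,python-requests/2.18.4,carol,FAIL
2018-03-01T09:00:04,198.51.100.44,python-requests/2.18.4,dave,FAIL
2018-03-01T09:00:05,198.51.100.44,python-requests/2.18.4,erin,FAIL
2018-03-01T09:00:06,198.51.100.44,python-requests/2.18.4,frank,SUCCESS
2018-03-01T09:30:01,198.51.100.44,python-requests/2.18.4,alice,FAIL
2018-03-01T09:30:02,198.51.100.44,python-requests/2.18.4,bob,FAIL
2018-03-01T10:00:00,203.0.113.9,python-requests/2.18.4,admin,FAIL
2018-03-01T10:00:01,203.0.113.9,python-requests/2.18.4,admin,FAIL
2018-03-01T10:00:02,203.0.113.9,python-requests/2.18.4,admin,FAIL
2018-03-01T10:00:03,203.0.113.9,python-requests/2.18.4,admin,FAIL
2018-03-01T10:00:04,203.0.113.9,python-requests/2.18.4,admin,FAIL
2018-03-01T10:30:00,10.0.0.7,Mozilla/5.0 (Windows NT 10.0),bob,FAIL
2018-03-01T10:30:20,10.0.0.7,Mozilla/5.0 (Windows NT 10.0),bob,SUCCESS
"""


def parse(log_text):
    """Parse the constructed CSV shape into time-sorted event tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, agent, account, result = line.split(",")
        events.append((datetime.fromisoformat(ts), ip, agent, account, result))
    return sorted(events)


def classify(log_text, window=WINDOW):
    """Return a list of findings (dicts with a "type" key) for the log text."""
    events = parse(log_text)
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = []
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[4] == "FAIL"]
        i = 0
        while i < len(fails):
            # Tumbling window anchored on the first failure not yet examined.
            start = fails[i][0]
            chunk = [e for e in fails[i:] if e[0] - start < window]
            i += len(chunk)
            per_account = Counter(e[3] for e in chunk)
            peak = max(per_account.values())
            if len(per_account) >= SPRAY_MIN_ACCOUNTS and peak < LOCKOUT_ATTEMPTS:
                # Many accounts, each tried only a few times: the "low-and-slow" pattern.
                findings.append({
                    "type": "password_spray", "src": ip,
                    "accounts": len(per_account), "max_per_account": peak,
                    "user_agents": sorted({e[2] for e in chunk}),
                    "start": start, "end": chunk[-1][0],
                })
            elif peak >= LOCKOUT_ATTEMPTS:
                # One account hit past the lockout threshold: traditional brute force.
                account, attempts = per_account.most_common(1)[0]
                findings.append({
                    "type": "brute_force", "src": ip,
                    "account": account, "attempts": attempts,
                    "start": start, "end": chunk[-1][0],
                })

    # A success from a source that was spraying is the account to reset first.
    spray_sources = {f["src"] for f in findings if f["type"] == "password_spray"}
    for ts, ip, _, account, result in events:
        if result == "SUCCESS" and ip in spray_sources:
            findings.append({"type": "possible_compromise", "src": ip,
                             "account": account, "time": ts})
    return findings


if __name__ == "__main__":
    for finding in classify(SAMPLE_LOG):
        print(finding)
```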

Posted on 28 March 2018 1:00 am on www.us-cert.gov


TA18-074A: Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors

Original release date: March 15, 2018 | Last revised: March 16, 2018
Systems Affected
- Domain Controllers
- File Servers
- Email Servers
Overview
This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). This alert provides information on Russian government actions targeting U.S. Government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors. It also contains indicators of compromise (IOCs) and technical details on the tactics, techniques, and procedures (TTPs) used by Russian government cyber actors on compromised victim networks. DHS and FBI produced this alert to educate network defenders to enhance their ability to identify and reduce exposure to malicious activity.
DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks. After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).
For a downloadable copy of IOC packages and associated files, see:
- TA18-074A_TLP_WHITE.csv
- TA18-074A_TLP_WHITE.stix.xml
- MIFR-10127623_TLP_WHITE.pdf
- MIFR-10127623_TLP_WHITE_stix.xml
- MIFR-10128327_TLP_WHITE.pdf
- MIFR-10128327_TLP_WHITE_stix.xml
- MIFR-10128336_TLP_WHITE.pdf
- MIFR-10128336_TLP_WHITE_stix.xml
- MIFR-10128830_TLP_WHITE.pdf
- MIFR-10128830_TLP_WHITE_stix.xml
- MIFR-10128883_TLP_WHITE.pdf
- MIFR-10128883_TLP_WHITE_stix.xml
- MIFR-10135300_TLP_WHITE.pdf
- MIFR-10135300_TLP_WHITE_stix.xml
Contact DHS or law enforcement immediately to report an intrusion and to request incident response resources or technical assistance.
Description
Since at least March 2016, Russian government cyber actors—hereafter referred to as “threat actors”—targeted government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors. Analysis by DHS and FBI resulted in the identification of distinct indicators and behaviors related to this activity. Of note, the report Dragonfly: Western energy sector targeted by sophisticated attack group, released by Symantec on September 6, 2017, provides additional information about this ongoing campaign. [1]
This campaign comprises two distinct categories of victims: staging and intended targets. The initial victims are peripheral organizations such as trusted third-party suppliers with less secure networks, referred to as “staging targets” throughout this alert. The threat actors used the staging targets’ networks as pivot points and malware repositories when targeting their final intended victims. NCCIC and FBI judge the ultimate objective of the actors is to compromise organizational networks, also referred to as the “intended target.”
Technical Details
The threat actors in this campaign employed a variety of TTPs, including spear-phishing emails (from compromised legitimate accounts), watering-hole domains, credential gathering, open-source and network reconnaissance, host-based exploitation, and targeting industrial control system (ICS) infrastructure.
Using Cyber Kill Chain for Analysis
DHS used the Lockheed-Martin Cyber Kill Chain model to analyze, discuss, and dissect malicious cyber activity. Phases of the model include reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on the objective. This section will provide a high-level overview of threat actors’ activities within this framework.
Stage 1: Reconnaissance
The threat actors appear to have deliberately chosen the organizations they targeted, rather than pursuing them as targets of opportunity. Staging targets held preexisting relationships with many of the intended targets. DHS analysis identified the threat actors accessing publicly available information hosted by organization-monitored networks during the reconnaissance phase. Based on forensic analysis, DHS assesses the threat actors sought information on network and organizational design and control system capabilities within organizations. These tactics are commonly used to collect the information needed for targeted spear-phishing attempts. In some cases, information posted to company websites, especially information that may appear to be innocuous, may contain operationally sensitive information...

Posted on 15 March 2018 3:40 pm on www.us-cert.gov


Meltdown and Spectre Vulnerabilities (Update I)

This updated alert is a follow-up to the updated alert titled ICS-ALERT-18-011-01 Meltdown and Spectre Vulnerabilities (Update H) that was published July 10, 2018, on the NCCIC/ICS-CERT website.

Posted on 11 January 2018 7:51 pm on ics-cert.us-cert.gov


TA18-004A: Meltdown and Spectre Side-Channel Vulnerability Guidance

Original release date: January 04, 2018 | Last revised: May 01, 2018
Systems Affected
CPU hardware implementations
Overview
On January 3, 2018, the National Cybersecurity and Communications Integration Center (NCCIC) became aware of a set of security vulnerabilities—known as Meltdown and Spectre—that affect modern computer processors. These vulnerabilities can be exploited to steal sensitive data present in a computer system’s memory.
Description
CPU hardware implementations are vulnerable to side-channel attacks, referred to as Meltdown and Spectre. Meltdown is a bug that "melts" the security boundaries normally enforced by the hardware, affecting desktops, laptops, and cloud computers. Spectre is a flaw an attacker can exploit to force a program to reveal its data. The name derives from "speculative execution"—an optimization in which a processor executes instructions ahead of time, before it knows whether they are needed, to avoid a delay when they are actually executed. Spectre affects almost all devices including desktops, laptops, cloud servers, and smartphones.
More details of these attacks can be found here:
Common Vulnerability and Exposure (CVE):
- Rogue Data Cache Load: CVE-2017-5754 (Meltdown) https://nvd.nist.gov/vuln/detail/CVE-2017-5754
- Bounds Check Bypass: CVE-2017-5753 (Spectre) https://nvd.nist.gov/vuln/detail/CVE-2017-5753
- Branch Target Injection: CVE-2017-5715 (Spectre Variant 2) https://nvd.nist.gov/vuln/detail/CVE-2017-5715
- CERT/CC’s Vulnerability Note VU#584653
Impact
An attacker can gain access to the system by establishing command and control presence on a machine via malicious Javascript, malvertising, or phishing. Once successful, the attacker could escalate privileges to exploit Meltdown and Spectre vulnerabilities, revealing sensitive information from a computer’s kernel memory, including keystrokes, passwords, encryption keys, and other valuable information.
Solution
Mitigation
NCCIC encourages users and administrators to refer to their hardware and software vendors for the most recent information. In the case of Spectre, the vulnerability exists in CPU architecture rather than in software, and is not easily patched; however, this vulnerability is more difficult to exploit.
After patching, performance impacts may vary, depending on use cases. NCCIC recommends administrators ensure that performance is monitored for critical applications and services, and work with their vendor(s) and service provider(s) to mitigate the effect, if possible. Additionally, NCCIC recommends users and administrators who rely on cloud infrastructure work with their CSP to mitigate and resolve any impacts resulting from host OS patching and mandatory rebooting.
For machines running Windows Server, a number of registry changes must be completed in addition to installation of the patches. NCCIC recommends verifying your Windows Server version before downloading applicable patches and performing registry edits. A list of registry changes can be found at https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution.
Microsoft has released guidance and an update that helps to mitigate against CVE-2017-5715 – the branch target injection vulnerability commonly known as Spectre Variant 2. As always, NCCIC recommends testing patches before implementation. More information can be found at https://support.microsoft.com/en-sg/help/4078407/update-to-enable-mitigation-against-spectre-variant-2.
Antivirus
Typical antivirus programs are built on a signature management system, and may not be able to detect the vulnerabilities. NCCIC recommends checking with your antivirus vendor to confirm compatibility with Meltdown and Spectre patches. Microsoft recommends third-party antivirus vendors add a change to the registry key of the machine running the antivirus software.
Without it, that machine will not receive any of the following fixes from Microsoft:
- Windows Update
- Windows Server Update Services
- System Center Configuration Manager
More information can be found at https://support.microsoft.com/en-us/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software.
"Total Meltdown"
Users running Windows 7 64-bit or Windows Server 2008 R2 64-bit operating systems on Intel processors who have installed Microsoft’s fix for Meltdown and Spectre in January or February of 2018 should install the latest patch immediately. According to researcher Ulf Frisk, the previous Microsoft patches for Meltdown and Spectre contain a vulnerability that could allow users and apps to read and write kernel memory, thereby gaining full control over a system...

Posted on 4 January 2018 8:47 pm on www.us-cert.gov


WAGO PFC200

NCCIC is aware of a public report of an improper authentication vulnerability affecting WAGO PFC200, a Programmable Logic Controller (PLC) device. According to this report, the vulnerability is exploitable by sending a TCP payload on the bound port. This report was released after attempted coordination with WAGO. NCCIC has notified the affected vendor of the report and has asked the vendor to confirm the vulnerability and identify mitigations. NCCIC is issuing this alert to provide notice of the report and identify baseline mitigations for reducing risks to these and other cybersecurity attacks.

Posted on 7 December 2017 11:11 pm on ics-cert.us-cert.gov


TA17-318B: HIDDEN COBRA – North Korean Trojan: Volgmer

Original release date: November 14, 2017 | Last revised: November 22, 2017
Systems Affected
Network systems
Overview
This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Working with U.S. government partners, DHS and FBI identified Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with a Trojan malware variant used by the North Korean government—commonly known as Volgmer. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra.
FBI has high confidence that HIDDEN COBRA actors are using the IP addresses—listed in this report’s IOC files—to maintain a presence on victims’ networks and to further network exploitation. DHS and FBI are distributing these IP addresses to enable network defense and reduce exposure to North Korean government malicious cyber activity.
This alert includes IOCs related to HIDDEN COBRA, IP addresses linked to systems infected with Volgmer malware, malware descriptions, and associated signatures. This alert also includes suggested response actions to the IOCs provided, recommended mitigation techniques, and information on reporting incidents. If users or administrators detect activity associated with the Volgmer malware, they should immediately flag it, report it to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give it the highest priority for enhanced mitigation.
For a downloadable copy of IOCs, see:
- IOCs (.csv)
- IOCs (.stix)
NCCIC conducted analysis on five files associated with or identified as Volgmer malware and produced a Malware Analysis Report (MAR). MAR-10135536-D examines the tactics, techniques, and procedures observed.
For a downloadable copy of the MAR, see:
- MAR (.pdf)
- MAR IOCs (.stix)
Description
Volgmer is a backdoor Trojan designed to provide covert access to a compromised system. Since at least 2013, HIDDEN COBRA actors have been observed using Volgmer malware in the wild to target the government, financial, automotive, and media industries. It is suspected that spear phishing is the primary delivery mechanism for Volgmer infections; however, HIDDEN COBRA actors use a suite of custom tools, some of which could also be used to initially compromise a system. Therefore, it is possible that additional HIDDEN COBRA malware may be present on network infrastructure compromised with Volgmer.
The U.S. Government has analyzed Volgmer’s infrastructure and has identified it on systems using both dynamic and static IP addresses. At least 94 static IP addresses were identified, as well as dynamic IP addresses registered across various countries. The greatest concentrations of dynamic IP addresses are identified below by approximate percentage:
- India (772 IPs) 25.4 percent
- Iran (373 IPs) 12.3 percent
- Pakistan (343 IPs) 11.3 percent
- Saudi Arabia (182 IPs) 6 percent
- Taiwan (169 IPs) 5.6 percent
- Thailand (140 IPs) 4.6 percent
- Sri Lanka (121 IPs) 4 percent
- China (82 IPs, including Hong Kong (12)) 2.7 percent
- Vietnam (80 IPs) 2.6 percent
- Indonesia (68 IPs) 2.2 percent
- Russia (68 IPs) 2.2 percent
Technical Details
As a backdoor Trojan, Volgmer has several capabilities including: gathering system information, updating service registry keys, downloading and uploading files, executing commands, terminating processes, and listing directories. In one of the samples received for analysis, the US-CERT Code Analysis Team observed botnet controller functionality. Volgmer payloads have been observed in 32-bit form as either executables or dynamic-link library (.dll) files.
The malware uses a custom binary protocol to beacon back to the command and control (C2) server, often via TCP port 8080 or 8088, with some payloads implementing Secure Socket Layer (SSL) encryption to obfuscate communications. Malicious actors commonly maintain persistence on a victim’s system by installing the malware-as-a-service. Volgmer queries the system and randomly selects a service in which to install a copy of itself. The malware then overwrites the ServiceDLL entry in the selected service's registry entry. In some cases, HIDDEN COBRA actors give the created service a pseudo-random name that may be composed of various hardcoded words. Detection and Response This alert’s IOC files provide HIDDEN COBRA indicators related to Volgmer. DHS and FBI recommend that network administrators review the information provided, identify whether any of the provided IP addresses fall within their organizations’ allocated IP address space, and—if found—take necessary measures to remove the malware...
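The ServiceDLL overwrite described above is directly observable in the registry, so a baseline diff catches it. The following is an added example by the editor, not code from US-CERT or from the alert: it parses the output of `reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v ServiceDll` taken from a known-good image and from the suspect host, reports any existing service whose ServiceDll value changed since the baseline (the Volgmer pattern), and reports any unbaselined service whose DLL lives outside the system directories (the pseudo-randomly named service case). All registry dumps, service names and paths in it are constructed for illustration.

```python
import re
from typing import Dict, Optional, Tuple

# Key lines and value lines in the layout printed by:
#   reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v ServiceDll
KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\s]+)", re.I)
VAL_RE = re.compile(r"^\s+ServiceDll\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$", re.I)

# Directories a legitimate ServiceDll normally lives in (lower-cased prefixes).
SYSTEM_DIRS = (
    "%systemroot%\\system32\\", "c:\\windows\\system32\\",
    "%systemroot%\\syswow64\\", "c:\\windows\\syswow64\\",
)

# Constructed baseline dump from a clean build of the same image.
BASELINE_DUMP = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\dhcpcore.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lmhosts\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\lmhsvc.dll
"""

# Constructed dump from the host under investigation: one existing service has had
# its ServiceDll redirected and one unexpected service has appeared.
SUSPECT_DUMP = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\dhcpcore.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lmhosts\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\ProgramData\Microsoft\Crypto\wuaucltv.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetSvcHelper\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\Windows\Temp\netsvchelper.dll
"""


def parse_reg_query(text: str) -> Dict[str, str]:
    """Map service name -> ServiceDll value from a reg query dump."""
    services: Dict[str, str] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)   # service name is the component after \Services\
            continue
        m = VAL_RE.match(line)
        if m and current:
            services[current] = m.group(1)
    return services


def outside_system_dirs(path: str) -> bool:
    """True when the DLL is not under System32/SysWOW64 (case-insensitive)."""
    return not path.lower().startswith(SYSTEM_DIRS)


def find_tampered(baseline: Dict[str, str],
                  current: Dict[str, str]) -> Dict[str, Tuple[str, Optional[str], str]]:
    """Return {service: (reason, baseline_dll_or_None, current_dll)} for suspicious entries."""
    findings: Dict[str, Tuple[str, Optional[str], str]] = {}
    for name, dll in current.items():
        if name in baseline:
            # Volgmer pattern: an existing service's ServiceDll now points elsewhere.
            if dll.lower() != baseline[name].lower():
                findings[name] = ("ServiceDll changed since baseline", baseline[name], dll)
        elif outside_system_dirs(dll):
            # New service name, DLL outside the system directories: worth triage.
            findings[name] = ("unbaselined service with ServiceDll outside system dirs", None, dll)
    return findings


def scan(baseline_text: str = BASELINE_DUMP, current_text: str = SUSPECT_DUMP):
    return find_tampered(parse_reg_query(baseline_text), parse_reg_query(current_text))


if __name__ == "__main__":
    for svc, (reason, old, new) in scan().items():
        print(f"{svc}: {reason}\n    baseline: {old}\n    current:  {new}")
```

On a live host, `reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v ServiceDll > current.txt` produces the input; take the baseline from a gold image of the same build. A hit is a lead, not a verdict: hash the DLL, check its Authenticode signature, and compare it against the MAR's indicators before acting.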

Posted on 14 November 2017 9:00 pm on www.us-cert.gov


TA17-318A: HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL

Original release date: November 14, 2017 | Last revised: November 22, 2017

Systems Affected
Network systems

Overview
This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Working with U.S. government partners, DHS and FBI identified Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with a remote administration tool (RAT) used by the North Korean government, commonly known as FALLCHILL. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra .

FBI has high confidence that HIDDEN COBRA actors are using the IP addresses listed in this report's IOC files to maintain a presence on victims' networks and to further network exploitation. DHS and FBI are distributing these IP addresses to enable network defense and reduce exposure to any North Korean government malicious cyber activity.

This alert includes IOCs related to HIDDEN COBRA, IP addresses linked to systems infected with FALLCHILL malware, malware descriptions, and associated signatures. It also includes suggested response actions to the IOCs provided, recommended mitigation techniques, and information on reporting incidents. If users or administrators detect activity associated with the FALLCHILL malware, they should immediately flag it, report it to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give it the highest priority for enhanced mitigation.

For a downloadable copy of IOCs, see: IOCs (.csv), IOCs (.stix)

NCCIC conducted analysis on two samples of FALLCHILL malware and produced a Malware Analysis Report (MAR). MAR-10135536-A examines the tactics, techniques, and procedures observed in the malware. For a downloadable copy of the MAR, see: MAR (.pdf), MAR IOCs (.stix)

Description
According to trusted third-party reporting, HIDDEN COBRA actors have likely been using FALLCHILL malware since 2016 to target the aerospace, telecommunications, and finance industries. The malware is a fully functional RAT with multiple commands that the actors can issue from a command and control (C2) server to a victim's system via dual proxies. FALLCHILL typically infects a system as a file dropped by other HIDDEN COBRA malware or as a file downloaded unknowingly by users when visiting sites compromised by HIDDEN COBRA actors. HIDDEN COBRA actors use an external tool or dropper to install FALLCHILL as a service to establish persistence. Because of this, additional HIDDEN COBRA malware may be present on systems compromised with FALLCHILL.

During analysis of the infrastructure used by FALLCHILL malware, the U.S. Government identified 83 network nodes. Additionally, using publicly available registration information, the U.S. Government identified the countries in which the infected IP addresses are registered.

Technical Details
FALLCHILL is the primary component of a C2 infrastructure that uses multiple proxies to obfuscate network traffic between HIDDEN COBRA actors and a victim's system. According to trusted third-party reporting, communication flows from the victim's system to HIDDEN COBRA actors through a series of proxies, as shown in figure 1.

Figure 1. HIDDEN COBRA Communication Flow

FALLCHILL uses fake Transport Layer Security (TLS) communications, encoding the data with RC4 using the following 16-byte key: [0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82]. FALLCHILL collects basic system information and beacons the following to the C2: operating system (OS) version information, processor information, system name, local IP address information, a unique generated ID, and media access control (MAC) address.
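To make use of the RC4 key the alert publishes, an analyst needs an implementation proven correct before it is pointed at evidence. The following is an added example by the editor, not code from the alert or from a FALLCHILL sample: a plain RC4 keyed with the published 16 bytes, validated against a standard public test vector, then applied to a constructed beacon payload. The beacon layout is invented for the example (the alert names the fields but not the wire format), and the fake-TLS framing is not modelled; in a real capture the RC4 payload would first have to be carved out of the records the malware wraps it in. As a side observation, the 16 key bytes coincide with a slice of a DER-encoded RSA SubjectPublicKeyInfo (the rsaEncryption OID followed by NULL parameters and the start of a BIT STRING), the kind of bytes a genuine certificate contains.

```python
import re

# The 16-byte RC4 key published in TA17-318A.
FALLCHILL_RC4_KEY = bytes.fromhex("0d06092a864886f70d01010105000382")
# 06 09 2a 86 48 86 f7 0d 01 01 01 = OID 1.2.840.113549.1.1.1 (rsaEncryption),
# 05 00 = NULL, 03 82 = start of a BIT STRING: a fragment of a DER public key.


def rc4_keystream(key: bytes):
    """Generator yielding RC4 keystream bytes for the given key (KSA then PRGA)."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                               # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher: XOR with the keystream both encodes and decodes."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


# Public RC4 test vector (key "Key", plaintext "Plaintext"); run it before trusting
# the implementation on real evidence.
def self_test() -> bool:
    key, plain, expected_hex = b"Key", b"Plaintext", "bbf316e8d940af0ad3"
    return rc4(key, plain).hex() == expected_hex and rc4(key, bytes.fromhex(expected_hex)) == plain


# Constructed plaintext carrying the field types the alert lists (OS version, CPU,
# hostname, local IP, generated ID, MAC). The delimiter and order are invented.
SAMPLE_BEACON = b"6.1.7601|Intel64 Family 6|WKS-042|10.0.0.23|a1b2c3d4|00:0c:29:ab:cd:ef"
# What the same bytes look like on the wire after RC4 with the published key.
SAMPLE_CAPTURE = rc4(FALLCHILL_RC4_KEY, SAMPLE_BEACON)


def decode_capture(blob: bytes, key: bytes = FALLCHILL_RC4_KEY) -> bytes:
    """Recover the beacon plaintext from an RC4-encoded payload."""
    return rc4(key, blob)


def looks_like_beacon(plain: bytes) -> bool:
    """Cheap plausibility check on a decode attempt: printable ASCII plus a MAC-like token."""
    printable = all(0x20 <= b < 0x7F for b in plain)
    has_mac = re.search(rb"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", plain, re.I) is not None
    return printable and has_mac


if __name__ == "__main__":
    assert self_test(), "RC4 implementation failed the public test vector"
    print("wire bytes :", SAMPLE_CAPTURE.hex())
    print("decoded    :", decode_capture(SAMPLE_CAPTURE).decode())
```

The plausibility check is what you would run over every candidate payload pulled from a pcap: a correct key and a correct payload boundary yield readable fields, while an off-by-one in the framing yields noise.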
FALLCHILL contains the following built-in functions for remote operations on a victim's system:
retrieve information about all installed disks, including the disk type and the amount of free space on the disk;
create, start, and terminate a new process and its primary thread;
search, read, write, move, and execute files;
get and modify file or directory timestamps;
change the current directory for a process or file;
delete the malware and the artifacts associated with it from the infected system.

Detection and Response
This alert's IOC files provide HIDDEN COBRA indicators related to FALLCHILL. DHS and FBI recommend that network administrators review the information provided, identify whether any of the provided IP addresses fall within their organizations' allocated IP address space, and, if found, take necessary measures to remove the malware...
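Both this alert and the Volgmer alert above close with the same recommendation: check whether any listed address falls inside your own allocated space, and, as any practitioner would add, whether any of your hosts has talked to one. The following is an added example by the editor, not code from the alerts: it loads IP indicators from a CSV (a single `indicator` column is an assumption; the real IOC files are not reproduced on this page), reports indicators that lie inside the organisation's CIDRs, and scans key=value flow records for connections to an indicator, flagging the TCP ports 8080 and 8088 that the Volgmer alert names. All indicators, ranges and flow lines are constructed.

```python
import csv
import io
import ipaddress
from typing import Dict, List

# Constructed IOC file in the column layout this example assumes.
IOC_CSV = """indicator,type,comment
198.51.100.17,ipv4-addr,constructed sample
203.0.113.44,ipv4-addr,constructed sample
192.0.2.9,ipv4-addr,constructed sample
not-an-ip.example,domain,constructed non-IP indicator
"""

# Address space the organisation actually owns (constructed).
ORG_CIDRS = ["203.0.113.0/24", "10.0.0.0/8"]

# Constructed key=value flow records; only src, dst and dport are used.
FLOW_LOG = """\
2017-11-15T03:12:44Z src=10.20.1.15 dst=198.51.100.17 dport=8080 proto=tcp bytes=1312
2017-11-15T03:12:51Z src=10.20.1.15 dst=93.184.216.34 dport=443 proto=tcp bytes=8890
2017-11-15T03:13:02Z src=10.20.7.3 dst=192.0.2.9 dport=8088 proto=tcp bytes=644
"""

# Ports TA17-318B names for Volgmer beacons; a hit on these gets a higher priority.
VOLGMER_BEACON_PORTS = {"8080", "8088"}


def load_iocs(csv_text: str) -> set:
    """Return the IP-address indicators from an IOC CSV, skipping other indicator types."""
    ips = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            ips.add(ipaddress.ip_address(row["indicator"].strip()))
        except ValueError:
            continue  # domains, hashes and the like need a different check
    return ips


def in_org_space(iocs: set, cidrs: List[str]) -> List[str]:
    """IOC addresses inside the organisation's own ranges: probable infected hosts."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return sorted(str(ip) for ip in iocs if any(ip in n for n in nets))


def matching_flows(iocs: set, log_text: str) -> List[Dict[str, object]]:
    """Flow records whose destination is a listed address: hosts reaching C2 infrastructure."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        try:
            dst = ipaddress.ip_address(fields.get("dst", ""))
        except ValueError:
            continue  # malformed record; skip rather than abort the sweep
        if dst in iocs:
            hits.append({
                "ts": parts[0],
                "src": fields.get("src", ""),
                "dst": str(dst),
                "dport": fields.get("dport", ""),
                "volgmer_port": fields.get("dport") in VOLGMER_BEACON_PORTS,
            })
    return hits


def report(csv_text: str = IOC_CSV, cidrs: List[str] = ORG_CIDRS,
           log_text: str = FLOW_LOG) -> dict:
    """Run both checks the alerts call for and return the findings together."""
    iocs = load_iocs(csv_text)
    return {
        "in_org_space": in_org_space(iocs, cidrs),
        "flows": matching_flows(iocs, log_text),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(report(), indent=2))
```

Feed it the real `.csv` from the alert and a day of firewall or NetFlow export; an address in `in_org_space` means one of your own systems is on the list and should be isolated, while a `flows` hit identifies the internal host that needs triage.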

Posted on 14 November 2017 8:09 pm on www.us-cert.gov


Eaton ELCSoft Vulnerabilities

NCCIC/ICS-CERT is aware of a public report of buffer overflow vulnerabilities affecting Eaton ELCSoft, PLC programming software for Eaton Logic Control (ELC) controllers. According to the public report, which was coordinated with ICS-CERT prior to its public release, researcher Ariele Caltabiano (kimiya), working with Trend Micro's Zero Day Initiative, identified that an attacker can leverage these vulnerabilities to execute arbitrary code in the context of the process. ICS-CERT has notified the affected vendor, who has reported that they are planning to address the vulnerabilities. No timeline has been provided. ICS-CERT is issuing this alert to provide notice of the report and to identify baseline mitigations for reducing the risk of these and other cyber attacks.

Posted on 4 August 2017 10:11 pm on ics-cert.us-cert.gov


CAN Bus Standard Vulnerability

NCCIC/ICS-CERT is aware of a public report of a vulnerability in the Controller Area Network (CAN) Bus standard, with proof-of-concept (PoC) exploit code, affecting CAN Bus, a broadcast-based network standard. According to the public report, which was coordinated with ICS-CERT prior to its public release, researchers Andrea Palanca, Eric Evenchick, Federico Maggi, and Stefano Zanero identified a weakness in the CAN protocol itself that allows an attacker to perform a denial-of-service (DoS) attack.

Posted on 28 July 2017 10:34 pm on ics-cert.us-cert.gov


CRASHOVERRIDE Malware

CRASHOVERRIDE, also known as Industroyer, is the fourth family of malware publicly identified as targeting industrial control systems (ICS). It uses a modular design, with payloads that target several industrial communication protocols and are capable of directly controlling switches and circuit breakers. Additional modules include a data-wiping component and a module capable of causing a denial of service (DoS) to Siemens SIPROTEC devices.

Posted on 25 July 2017 7:45 pm on ics-cert.us-cert.gov


Petya Malware Variant (Update C)

This updated alert is a follow-up to the updated alert titled ICS-ALERT-17-181-01B Petya Malware Variant that was published July 5, 2017, on the NCCIC/ICS-CERT web site. ICS-CERT is aware of reports of a variant of the Petya malware that is affecting several countries. ICS-CERT is releasing this alert to enhance the awareness of critical infrastructure asset owners/operators about the Petya variant and to identify product vendors that have issued recommendations to mitigate the risk associated with this malware.

Posted on 1 July 2017 12:09 am on ics-cert.us-cert.gov


Indicators Associated With WannaCry Ransomware (Update I)

This updated alert is a follow-up to the updated alert titled ICS-ALERT-17-135-01H Indicators Associated With WannaCry Ransomware that was published May 31, 2017, on the NCCIC/ICS-CERT web site.

Posted on 16 May 2017 2:16 am on ics-cert.us-cert.gov


BrickerBot Permanent Denial-of-Service Attack (Update A)

This updated alert is a follow-up to the original alert titled ICS-ALERT-17-102-01A BrickerBot Permanent Denial-of-Service Attack that was published April 12, 2017, on the NCCIC/ICS-CERT web site. ICS-CERT is aware of open-source reports of “BrickerBot” attacks, which exploit hard-coded passwords in IoT devices in order to cause a permanent denial of service (PDoS). This family of botnets, which consists of BrickerBot.1 and BrickerBot.2, was described in a Radware Attack Report.

Posted on 12 April 2017 6:02 pm on ics-cert.us-cert.gov


Miele Professional PG 8528 Vulnerability

NCCIC/ICS-CERT is aware of a public report of a directory traversal vulnerability with proof-of-concept (PoC) exploit code affecting the embedded webserver (“PST10 WebServer”) in Miele Professional PG 8528, a large capacity washer and disinfector used in hospitals and laboratory settings to disinfect medical and laboratory equipment. According to this report, the vulnerability is remotely exploitable.

Posted on 30 March 2017 5:10 pm on ics-cert.us-cert.gov


MEMS Accelerometer Hardware Design Flaws (Update A)

This updated alert is a follow-up to the original alert titled ICS-ALERT-17-073-01 MEMS Accelerometer Hardware Design Flaws that was published March 14, 2017, on the NCCIC/ICS-CERT web site. ICS-CERT is aware of public reporting of hardware design flaws in some capacitive micro-electromechanical systems (MEMS) accelerometer sensors, which are produced by the following manufacturers: Robert Bosch GmbH, STMicroelectronics, InvenSense Inc., Analog Devices Inc., and Murata Manufacturing Company.

Posted on 14 March 2017 4:10 pm on ics-cert.us-cert.gov